b'\x0cGENERAL SERVICES ADMINISTRATION\nOFFICE OF INSPECTOR GENERAL\n\n\n\n\n                     AUDIT OF GSA\xe2\x80\x99S\n                PURCHASE CARD PROGRAM\n             REPORT NUMBER: A080090/B/F/F09006\n                       MAY 11, 2009\n\n\n\n\xc2\xa0\n\n\xc2\xa0\n\n\xc2\xa0\n\n\xc2\xa0\n\n\xc2\xa0\n\n\xc2\xa0\n\n\xc2\xa0\n\x0c                                AUDIT OF GSA\xe2\x80\x99S\n                           PURCHASE CARD PROGRAM\n                        REPORT NUMBER: A080090/B/F/F09006\n\n                               TABLE OF CONTENTS\n\n                                                                            Page\nEXECUTIVE SUMMARY                                                             i\n\nINTRODUCTION                                                                 1\n\n     Background                                                              1\n\n     Objective, Scope and Methodology                                        2\n\nRESULTS OF AUDIT                                                             3\n\n     Results in Brief                                                        3\n\n     Finding 1: Inadequate Compliance with Policies Over the Purchase        3\n                Card Application, Maintenance and Account Closure Process\n\n     Finding 2: Reasonableness of Cardholder to Approving                    4\n                Official Ratios\n\n     Finding 3: Unallowable Use of the GSA Purchase Card for                 4\n                Fleet Related Transactions\n\n     Finding 4: Notification of Fraudulent Charges to the Office of          5\n                Inspector General\n\nCONCLUSION                                                                   5\n\nRECOMMENDATIONS                                                              6\n\nMANAGEMENT\xe2\x80\x99S RESPONSE                                                        6\n\nMANAGEMENT CONTROLS                                                          7\n\nAPPENDIX 
A: MANAGEMENT\xe2\x80\x99S RESPONSE TO DRAFT REPORT                            A-1\n\nAPPENDIX B: REPORT DISTRIBUTION                                              B-1\n\x0c                                                         AUDIT OF GSA\xe2\x80\x99S\n                                                    PURCHASE CARD PROGRAM\n                                                 REPORT NUMBER: A080090/B/F/F09006\n\n                                                               EXECUTIVE SUMMARY\nPurpose\n\nThe objectives of the audit were to determine: (1) if satisfactory management controls\nexist for the ordering and accepting of goods and services by credit cardholders, and (2)\nif supervisors of credit cardholders are doing enough to protect the integrity of the\ngovernment purchase function. The scope of our audit work included all General\nServices Administration (GSA) regions.\n\nBackground\n\nThe GSA SmartPay\xc2\xae program provides travel, purchase, fleet, and integrated charge\ncards to U.S. government agencies through master contracts with major national banks.\nThe SmartPay\xc2\xae program allows participating agencies to streamline their procurement\nand payment processes, and provides significant administrative savings through the use\nof charge cards. In November 1998, GSA awarded Citibank its purchase card contract,\nand GSA cardholders began using the bank\xe2\x80\x99s purchase card to procure micro-\npurchases for needed supplies and services. The Office of the Chief Financial Officer\n(OCFO) is responsible for administering the program for the Agency.\n\nGSA\xe2\x80\x99s policy regarding use of the purchase card is contained in CFO Order 4200.1,\nGuidance on Use of the Credit Card for Purchases. This policy allows authorized\nemployees to use the purchase card whenever possible to make micro-purchases (i.e.,\nsmall procurements up to $3,000 for supplies and services1 or $2,000 for building\nservices and alterations) on behalf of the Agency. 
Contracting officers are also\nencouraged to use the card as a payment vehicle when placing orders valued over\n$2,500 against established contracts that authorize use of the card, and for other\ncontracts when contractors agree to accept payment by credit card.\n\nResults in Brief\n\nOur audit found instances where administrative duties to be followed by cardholders,\nApproving Officials (AOs) and program coordinators outlined in CFO Order 4200.1,\nwere not adhered to in the procurement and acquisition of supplies and services.\nSpecifically, our audit noted the following:\n\n       \xe2\x80\xa2      Inadequate controls over the purchase card application, maintenance, and\n              account closure process;\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n1\n Prior to the Office of the Chief Financial Officer\xe2\x80\x99s Memo dated 2/13/2007, the amount of the micro-\npurchase threshold for procurements of supplies and services was $2,500.\n\n\n\xc2\xa0                                                                      i                               \xc2\xa0\n\x0c    \xe2\x80\xa2   An absence of policy to ensure the reasonableness of the span of control of AOs\n        and cardholders;\n    \xe2\x80\xa2   Use of the GSA purchase card for fleet related transactions; and\n    \xe2\x80\xa2   Instances in which the Office of Inspector General (OIG) was not notified of\n        possible card misuse and/or abuse, as required.\n\nRecommendations\n\nWe recommend that the OCFO ensures that current purchase card polices are followed\nand 
consistently applied Agency-wide. Additionally, we recommend that an audit trail\nbe maintained by cardholders, AOs, and purchase card coordinators for all aspects of\nthe account application, maintenance, and closure process. We further recommend\nthat the OCFO revise its current guidance to include the following: an established\ntimeframe for the cancellation of cardholder accounts upon an employee\xe2\x80\x99s separation\nfrom the agency; and guidance on the span of control delegated to AOs (i.e., cardholder\nto AO ratios).\n\n\n\n\n\xc2\xa0                                           ii                                            \xc2\xa0\n\x0c                                                            AUDIT OF GSA\xe2\x80\x99S\n                                                        PURCHASE CARD PROGRAM\n                                                     REPORT NUMBER: A080090/B/F/F09006\n\n                                                               INTRODUCTION\n\nBackground\n\nThe General Services Administration\xe2\x80\x99s (GSA) SmartPay\xc2\xae program provides travel,\npurchase, fleet, and integrated charge cards to U.S. government agencies through\nmaster contracts with major national banks. The SmartPay\xc2\xae program allows\nparticipating agencies to streamline their procurement and payment processes, and\nprovides significant administrative savings through the use of charge cards. In\nNovember 1998, GSA awarded Citibank its purchase card contract, and GSA\ncardholders began using the bank\xe2\x80\x99s purchase card to procure micro-purchases for\nneeded supplies and services.\n\nThe Office of the Chief Financial Officer (OCFO) is responsible for administering the\nprogram for the Agency. 
Specifically, the Agency-wide purchase card program\ncoordinator is the liaison between GSA and Citibank, who oversees the purchase card\nprogram; establishes policy and administrative procedures for use of the purchase card\nin GSA; monitors resolution of disputed purchases, credits, or billing errors; and\nprovides administrative support and training to regional program coordinators.\nAdditionally, the Agency-wide purchase card program coordinator approves changes to\nauthorization limits and authorized merchant codes; provides training for Central Office\ncardholders and Approving Officials (AOs); coordinates the applications for setup,\nmaintenance and cancellation of purchase card accounts for Central Office\norganizations; and conducts reviews of purchase card use. Regional purchase card\nprogram coordinators\xe2\x80\x99 responsibilities are similar to that of the Agency-wide purchase\ncard program coordinator except for the fact that they are only responsible for their\nrespective region.\n\nGSA\xe2\x80\x99s policy regarding use of the purchase card is contained in CFO Order 4200.1,\nGuidance on Use of the Credit Card for Purchases. This policy allows authorized\nemployees to use the purchase card whenever possible to make micro-purchases (i.e.,\nsmall procurements up to $3,000 for supplies and services2 or $2,000 for building\nservices and alterations) on behalf of the Agency. Contracting officers are also\nencouraged to use the card as a payment vehicle when placing orders valued over\n$2,500 against established contracts that authorize use of the card, and for other\ncontracts when contractors agree to accept payment by credit card. 
During fiscal year\n(FY) 2007, GSA purchase cardholders made approximately 116,000 purchase card\ncharges totaling $81.7 million under the SmartPay\xc2\xae program.\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n2\n Prior to the Office of the Chief Financial Officer\xe2\x80\x99s Memo dated 2/13/2007, the amount of the micro-\npurchase threshold for procurements of supplies and services was $2,500.\n\n\n                                                                    1                                  \xc2\xa0\n\n\n\n                                                                                                       \xc2\xa0\n\x0cWhile our audit period covered FY 2007 purchase card transactions, which were\nregulated under the initial GSA SmartPay\xc2\xae contract, effective November 30, 2008, GSA\nSmartPay 2\xc2\xae (SP2) was implemented to provide agencies with needed improvements\nin key areas such as enhanced customer service; systems and data security; enhanced\ndata capture; and tax reclamation. Banking institutions such as Citibank, JP Morgan\nChase, and U.S. Bank have been contracted to provide new and improved purchase,\ntravel, fleet and integrated charge card products to over 350 Federal agencies and\norganizations participating in the SP2 program. 
The new SmartPay\xc2\xae contract has a\nfour-year base period, with one four-year option period, and one three-year option\nperiod.\n\nObjectives, Scope, and Methodology\n\nThe objectives of the audit were to determine: (1) if satisfactory management controls\nexist for the ordering and accepting of goods and services by credit cardholders and (2)\nif supervisors of credit cardholders are doing enough to protect the integrity of the\ngovernment purchase function. The scope of our audit work included all GSA regions.\n\nTo accomplish our objectives, we obtained the universe of purchase card transactions\nprocessed by GSA cardholders during fiscal year 2007 (October 1, 2006 through\nSeptember 30, 2007) from Citibank. We then utilized the Office of Inspector General\n(OIG) Statisticians to generate the following samples:\n\n                                                                Confidence     Margin of\n          Audit Procedure                  Sample Size\n                                                                  Level         Error\nTest of Active Cardholders                53 Cardholders           90%             8\nTest of Closed Accounts                   48 Cardholders           90%             8\nTest of Approving Officials            48 Approving Officials      90%             8\nTest of Purchase Card Transactions       138 Transactions          90%             5\nTest of Questionable Transactions         54 Transactions         Judgmentally Selected\n\n\nWe obtained and reviewed supporting documentation relating to the test items from\nprogram coordinators, cardholders, and AOs to determine whether purchases were\nappropriate, legitimate, and in compliance with stated purchase card guidance as well\nas CFO Order 4200.1. 
In addition, we inquired with the Agency Purchase Card\nCoordinator and OIG personnel regarding actions taken upon being made aware of\nunauthorized or fraudulent transactions.\n\nThe audit field work, including site visits, Regional correspondence, research, analysis,\nand summarization was conducted during the period of December 2007 to November\n2008 and was conducted in accordance with Generally Accepted Government Auditing\n\n\n                                            2                                               \xc2\xa0\n\n\n\n                                                                                            \xc2\xa0\n\x0cStandards (GAGAS). Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings\nand conclusions based on our audit objectives. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n                                 RESULTS OF AUDIT\n\nResults in Brief\n\nOur audit found instances where administrative duties to be followed by cardholders,\nAOs, and program coordinators outlined in CFO Order 4200.1, were not adhered to in\nthe procurement and acquisition of supplies and services. \xc2\xa0\n\nAudit Findings\n\nFinding 1: Inadequate Compliance with Policies Over the Purchase Card Application,\nMaintenance and Account Closure Process\n\nOur FY 2007 audit of the GSA Purchase Card Program noted current practices\nemployed by program coordinators for the application, maintenance, and closure of\ncardholder accounts are not in compliance with the established guidelines provided in\nCFO Order 4200.1. 
Details of our findings related to the account application,\nmaintenance, and closure process are provided below.\n\n                       Account Application and Maintenance Process\nWe noted that 13 of 53 purchase cardholders and/or designated AOs selected for\ntesting did not have a completed GSA Form 3661 \xe2\x80\x93 Purchase Card Application and\nMaintenance \xe2\x80\x93 or lacked documentation verifying that the required purchase card\ntraining (initial and/or refresher) was completed. Per CFO Order 4200.1, cardholders\nmust submit a completed GSA Form 3661 to the appropriate regional purchase card\nprogram coordinator with sections I-III completed by the cardholder and section IV\nsigned by the appropriate Division Director/equivalent or higher level official and funds\nmanager.\n\n                                 Account Closure Process\nWe noted that 31 of 48 account closures tested did not submit a GSA Form 3661 to the\nappropriate Regional coordinator to cancel the account as outlined in CFO Order\n4200.1; moreover, three of the accounts tested were closed between 39 and 58 days\nafter employee separation. One of the three accounts had charges totaling\napproximately $3,800 that were made subsequent to the employee leaving GSA. Upon\nfurther investigation, we were able to determine that the post-separation charges were\neither the result of timing delays or pre-established auto-billings set up on the\n\n\n                                            3                                               \xc2\xa0\n\n\n\n                                                                                            \xc2\xa0\n\x0cemployee\xe2\x80\x99s account. 
We obtained supporting documentation and/or reasonable\nexplanations for the transactions and concluded that the employees\xe2\x80\x99 purchase cards\nwere not used by another GSA employee.\n\nCFO Order 4200.1 requires that cardholders submit a GSA Form 3661 to the\nappropriate regional coordinator to request cancellation or closure. As a result of\ninconsistent enforcement and adherence of current purchase card application and\nmaintenance policies, as well as insufficient guidance over the account closure process\nset forth in, CFO Order 4200.1, a risk exists for cardholder account abuse or fraud.\n\nFinding 2: Reasonableness of Cardholder to Approving Official Ratios\n\nDuring our FY 2007 audit of the GSA Purchase Card Program, we noted the Agency\ndoes not have a policy to ensure that the span of control (i.e., review responsibilities\nand ratio of cardholders to AOs) is reasonable. While the Agency reported to OMB a\ncardholder to AO ratio of 2.9:1 for the program (in FY 2007), our review found several\ninstances where that ratio was exceeded, noting an inequitable delegation of review\nresponsibilities for AOs across the Agency.\n\nAlthough CFO Order 4200.1 does not provide specific guidance for cardholder to AO\nratios, OMB Circular A-123, Appendix B requires that the Agency maintain for their own\nuse a ratio of AOs to purchase cardholders (span of control) and an average number of\nmonthly purchase card transactions approved per AO. Over-extended AOs may not\nconsistently perform their review responsibilities, which may result in potential\ncardholder abuse or fraud.\n\nFinding 3: Unallowable Use of the GSA Purchase Card for Fleet Related Transactions\n\nDuring our test of FY 2007 purchase card transactions, we noted four instances where\ncardholders used their purchase card to make fleet related purchases. 
Specifically,\nsupporting documentation provided for the purchases showed that approximately\n$3,000 was charged for oil and/or maintenance related services for fleet purposes.\nFurthermore, two of the four transactions in question did not have evidence of any\nwritten supervisory approval of the purchase.\n\nAccording to CFO Order 4200.1, \xe2\x80\x9cpurchases for GSA Fleet vehicles must be made\nusing the fleet services card (part of the SmartPay\xc2\xae program) in order that\xe2\x80\xa6 expenses\nare recorded to the proper vehicles. Any exceptions to use of the fleet services card for\nGSA vehicles must be approved by the Director, Fleet Management Division (FFF).\xe2\x80\x9d\n\nImproper use of the GSA purchase card for prohibited purchases weakens the purpose\nof the Agency\xe2\x80\x99s policy and other governing regulations.\n\n\n\n\n                                            4                                               \xc2\xa0\n\n\n\n                                                                                            \xc2\xa0\n\x0cFinding 4: Notification of Fraudulent Charges to the Office of Inspector General (OIG)\n\nOur sample for testing included three transactions, totaling approximately $8,790, which\nwere identified by the cardholders and reported to Citibank and the Agency as\nfraudulent in nature. Specifically, the three transactions were coded in the Citibank\nReporting System with an account status code of "stolen / unauthorized". Upon further\ninvestigation, we learned that the charges were reported by the cardholders to Citibank\nas a result of their card(s) being stolen, lost, and/or misused. The transactions varied in\ndisposition, from casino hotel charges, to airplane tickets, and food. We determined that\nthese fraudulent transactions were resolved, and related expenditures were recouped\nby the Agency. 
However, we found no evidence that these three transactions were\nproperly communicated to the OIG, as required per CFO Order 4200.1.\n\nPer CFO Order 4200.1, "GSA would be liable for any use of the card by authorized\ncardholders. Therefore, the approving official must notify the Office of the Inspector\nGeneral and the purchase card program coordinator immediately upon becoming aware\nof the occurrence of any unauthorized purchases, negligence, or misuse of the\npurchase card."\n\nAs a result of inconsistent enforcement and lack of adherence to the Agency\xe2\x80\x99s purchase\ncard policies \xe2\x80\x93 particularly pertaining to unauthorized purchases \xe2\x80\x93 negligence or misuse\nof the purchase card, as well as controls designed for the safeguarding and monitoring\nof the purchase card program are weakened.\n\n                                    CONCLUSION\n\nOur FY 2007 audit of the GSA Purchase Card Program noted instances where\nadministrative duties to be followed by cardholders, AOs, and program coordinators\nwere not always adhered to, as outlined in CFO Order 4200.1. Specifically, we noted\ninadequate controls over the purchase card application, maintenance and account\nclosure process; an absence of policy regarding the span of control of AOs; instances of\ninsufficient documentation of supervisory approval of purchase card transactions; and\nuse of the GSA purchase card for fleet related transactions, without documented\nexception. Also, there was no evidence of whether the OIG was notified of possible\ncard misuse and/or abuse, as required per purchase card guidance.\n\nIn brief, we recommend that the OCFO ensures that current purchase card policies are\nfollowed and consistently applied Agency-wide. 
We also recommend that current\nguidance be revised to emphasize the importance of maintaining a complete audit trail;\nenforcing the timeliness of account closures; and performing thorough supervisory\nreviews and oversight for all purchase card purchases. By addressing these areas of\nconcern, management can further ensure a more efficient and effective purchase card\nprogram. This is particularly important as the Agency could potentially experience\nincreased purchase card activity during the implementation of the American Recovery\n\n\n                                            5                                                 \xc2\xa0\n\n\n\n                                                                                              \xc2\xa0\n\x0cand Reinvestment Act of 2009; therefore, management should be cognizant and\nproactive in mitigating potential waste, fraud, and abuse of purchase card transactions\nrelating to the economic stimulus package.\n\n\n                               RECOMMENDATIONS\n\nWe recommend that the Office of the Chief Financial Officer take steps to ensure a\nmore efficient and effective purchase card program by:\n\n   1. Ensuring that current purchase card policies are followed and consistently\n      applied Agency-wide. Additionally, we recommend that an audit trail be\n      maintained by cardholders, AOs and purchase card coordinators for all aspects\n      of the account application, maintenance, and closure processes. We further\n      recommend that the OCFO revise its guidance on the account closure process to\n      establish a timeframe for the cancellation of cardholder accounts.\n\n   2. Revising CFO Order 4200.1 to include guidance on the span of control and\n      oversight responsibilities delegated to AOs; specifically, as it pertains to the ratio\n      of cardholders to AOs, as required by OMB Circular A-123, Appendix B.\n\n   3. 
Ensuring that all guidelines are followed when using government funds to\n      purchase goods and services, avoiding contradiction with the Agency\xe2\x80\x99s guidance\n      and other regulations. We further recommend that management ensures that in\n      cases of exceptions to the policy, that the necessary approvals needed to\n      authorize the purchases are documented and maintained in the cardholder\n      account file (i.e., in an audit trail).\n\n   4. Ensuring guidance pertaining to the proper notification of all parties, in\n      accordance with CFO Order 4200.1, of any unauthorized purchases, negligence,\n      or misuse of the purchase card is followed.\n\n\n                          MANAGEMENT\xe2\x80\x99S RESPONSE\n\nManagement\xe2\x80\x99s response dated April 22, 2009 states they concur in part with the audit\nfindings and recommendations noted in the audit report. This final audit report reflects\nchanges that were made based on our review and analysis of additional audit\ndocumentation and in response to management\xe2\x80\x99s response of the draft audit report\nissued February 25, 2009. A copy of management\xe2\x80\x99s comments is provided in its\nentirety in Appendix A.\n\n\n\n\n                                             6                                                 \xc2\xa0\n\n\n\n                                                                                               \xc2\xa0\n\x0c                           MANAGEMENT CONTROLS\nThe objective of our audit was to determine if satisfactory management controls exist for\nthe procurement of goods and services by GSA purchase card holders during fiscal\nyear 2007; and if supervisors of cardholders were doing enough to protect the integrity\nof the government procurement function. As part of the audit, we reviewed the controls\nover the purchase card application and maintenance process, as well as the purchase\ncard procurement process. 
During our audit, we noted concerns with regard to the\ncompleteness and the maintenance of an audit trail of the forms required to establish a\npurchase card account. In addition, we identified instances where the GSA purchase\ncard was used for fleet related transactions. We have included recommendations in this\nreport to address these issues.\n\n\nWe would like to thank the Office of the Chief Financial Officer for the courtesies\nextended to us during our review. If you have any questions regarding this report,\nplease do not hesitate to call Anthony Mitchell, Audit Manager, at 202-501-0006.\n\n\n\n\nAnthony Mitchell\nAudit Manager\nFinance and Administrative Audit Office (JA-F)\n\n\n\n\n                                            7                                               \xc2\xa0\n\n\n\n                                                                                            \xc2\xa0\n\x0c                                                                                                     \xc2\xa0\n\n                                    APPENDIX A\n\n                  AUDIT OF GSA\xe2\x80\x99S PURCHASE CARD PROGRAM\n                      REPORT NUMBER: A080090/B/F/F09006\n                                             \xc2\xa0\n  GSA OFFICE OF THE CHIEF FINANCIAL OFFICER\xe2\x80\x99S RESPONSE TO THE DRAFT\n       REPORT OF THE AUDIT OF GSA\xe2\x80\x99S PURCHASE CARD PROGRAM\n\n\n\n\nMay 6, 2009\n\nMEMORANDUM FOR JEFFREY C. WOMACK, CPA\n               DEPUTY ASSISTANT INSPECTOR GENERAL\n               FOR FINANCE AND ADMINISTRATIVE AUDITS\n\nFROM:                  KATHLEEN M. TURCO\n                       CHIEF FINANCIAL OFFICER (B)\n\nSUBJECT:               Audit of GSA\xe2\x80\x99s Purchase Card Program,\n                       Report Number: A080090/B/F/\n\n\nThank you for providing me with the opportunity to review the Office of the Inspector\nGeneral (OIG) audit results on the U.S. General Services Administration (GSA)\npurchase card program. 
The Office of the Chief Financial Officer (OCFO) is committed\nto continually assess and improve the internal controls and reduce the risk of fraud,\nwaste, and abuse in the GSA charge card program. The attachment provides relevant\nfeedback to address the OIG findings.\n\nAs in the past, GSA management has been responsive in implementing appropriate\nOIG recommendations. GSA recognizes that the OIG can provide invaluable\nassistance in the management of its programs. I look forward to continuing to work with the\nOIG to promote government efficiency and effectiveness.\n\n\nAttachment\n\n\n\n\n                                                              U.S. General Services Administration\n                                                              1800 F Street, NW\n                                          A-1                 Washington DC 20405-0002\n                                                              www.gsa.gov\n\x0c       GSA OFFICE OF THE CHIEF FINANCIAL OFFICER RESPONSE\n            AUDIT OF GSA\xe2\x80\x99S PURCHASE CARD PROGRAM\n                  REPORT NUMBER: A080090/B/F/\n                       DATED APRIL 22, 2009\n\n\n\nThe Office of the Chief Financial Officer (OCFO) would like to thank the Office of\nthe Inspector General (OIG) for reviewing GSA\'s purchase card program and\nproviding important feedback in order to improve the effectiveness of the\nprogram. The OCFO is committed to prescribing policies and procedures to\nmaintain internal controls that reduce the risk of fraud, waste, and abuse in\nGSA\'s government charge card program.\n\nA. General\n\nGSA has management controls, policies and procedures, and review processes\nto ensure proper use of the purchase card and monitor its use. 
The following\nreports, processes and reviews are in place to strengthen the oversight and\nmanagement of the program:\n\n   \xe2\x80\xa2   In most cases, the approving officials (AOs) at GSA are front line\n       managers supervising the cardholder. At month end, the Pegasys (GSA\xe2\x80\x99s\n       financial system of record) charge card module automatically emails AOs\n       a consolidated report of all their cardholders\xe2\x80\x99 charge card transactions. An\n       AO can also elect to receive daily emails of new charge activity, as it\n       occurs, and also assess a variety of reports on their cardholders at\n       anytime from the Pegasys reports module. All AOs are required to review\n       their monthly reports and take action on all unauthorized charges. In\n       addition, the Office of the Chief Financial Officer monitors AO reviews to\n       ensure completion.\n\n   \xe2\x80\xa2   An Impending Suspensions Report contains the names of AOs who failed\n       to review three or more monthly statements. Approving Officials have 10\n       days to certify their review of transactions or the spending authority for\n       their cardholders will be suspended.\n\n   \xe2\x80\xa2   A Questionable Charges Report is sent to Heads of Services and Staff\n       offices (HSSOs), Regional Administrators (RAs), and the OIG for review\n       and action.\n\n   \xe2\x80\xa2   The OCFO conducts a 100 percent monthly reconciliation of active\n       purchase card accounts with the issuing bank, Citibank, to active\n       personnel on the payroll records. A comparison is made between the two\n       reports. 
The Citibank cardholders\xe2\x80\x99 accounts are cancelled for any active\n       cardholders who are not listed on the payroll records.\n\n\n                                       A-2\n\x0c   \xe2\x80\xa2   On all cards, GSA has set the expiration date at two years from issuance.\n       This provides some measure of protection against accounts remaining\n       open indefinitely.\n\n   \xe2\x80\xa2   Random sampling and review of purchase card transactions and\n       documentation is performed by the Kansas City Financial Services\n       Division.\n\n   \xe2\x80\xa2   A review of inactive cardholder accounts is performed semi-annually. The\n       OCFO submits a report to regional coordinators who work with their\n       approving officials to ascertain whether the accounts are still needed.\n       Accounts that are no longer needed are cancelled with Citibank.\n\n   \xe2\x80\xa2   During the annual internal control assessment under OMB Circular A-123,\n       Appendix A, Internal Control over Financial Reporting, the OCFO performs\n       tests of internal controls in the charge card program. Upon identification\n       of internal control deficiencies, corrective action plans are developed for\n       remediation.\n\nB. Comments on Findings\n\nAudit Finding 1: Inadequate Compliance with Policies Over the Purchase\nCard Application, Maintenance and Account Closure Process\n\n                 Account Application and Maintenance Process\n\nOIG Finding: We noted that 13 of 53 purchase cardholders and/or designated\nAOs selected for testing did not have a completed GSA Form 3661 \xe2\x80\x93 Purchase\nCard Application and Maintenance \xe2\x80\x93 or lacked documentation verifying that the\nrequired purchase card training (initial and/or refresher) was completed. 
Per CFO Order 4200.1, cardholders must submit a completed GSA Form 3661 to the
appropriate regional purchase card program coordinator with sections I-III
completed by the cardholder and section IV signed by the appropriate Division
Director/equivalent or higher level official and funds manager.

OIG Recommendation: Ensure that current purchase card policies are followed
and consistently applied Agency-wide. Additionally, we recommend that an audit
trail be maintained by cardholders, AOs and purchase card coordinators for all
aspects of the account application, maintenance, and closure processes.

Management Response: As a practice, some coordinators verify the
completion of cardholder and AO training through GSA Online University (OLU)
and annotate this information on the GSA Form 3661. Therefore, the coordinator
may not have maintained a certificate of training for each cardholder and/or
approving official.

There are two signatures on the GSA Form 3661 – Requesting Official and
Funds Manager. The Funds Manager signature denotes approval of the monthly
spending limits (30 Day Purchase Limit on the form) and is only needed for new
cardholder accounts and changes to the monthly spending limits.

Regarding the lack of AO training or supervisory approvals on the GSA Form
3661, we were unable to determine whether there was an issue with the AO
training or with supervisory approval.
In the majority of cases, we are confident
that the supporting documentation existed and could have been provided if the
name of the AO and the specific issue were identified.

Account Closure Process

OIG Finding: We noted that 31 of 48 account closures tested did not submit a
GSA Form 3661 to the appropriate Regional coordinator to cancel the account as
outlined in CFO Order 4200.1; moreover, three of the accounts tested were
closed between 39 and 58 days after employee separation. One of the three
accounts had charges totaling approximately $3,800 that were made subsequent
to the employee leaving GSA. Upon further investigation, we were able to
determine that the post-separation charges were either the result of timing delays
or pre-established auto-billings set up on the employee’s account. We obtained
supporting documentation and/or reasonable explanations for the transactions
and concluded that the employees’ purchase cards were not used by another
GSA employee.

OIG Recommendation: We recommend that the OCFO revise its guidance on
the account closure process to establish a timeframe for the cancellation of
cardholder accounts.

Management Response: The OCFO agrees with the recommendation to
establish a timeframe for cancellation of cardholder accounts and will revise the
current policy. Although the CFO Order 4200.1, Guidance on Use of the Credit
Card for Purchases, requires a GSA Form 3661 for account cancellation, the
current practice has been to accept other forms of written documentation in lieu
of the form. The OCFO will modify its policy to reflect these practices.

In addition, the OCFO instituted a process to ensure that accounts are closed
with the issuing bank for cardholders who have separated from GSA. In this
process, a monthly file of active cardholders from the issuing bank is matched
with a current GSA payroll file.
Any cardholder account that does not tie to the
GSA payroll file is cancelled directly with the issuing bank by the OCFO. The
purchase card program operates on monthly cycles. Therefore, if an employee
separates from the agency at the beginning of a cycle, this process of report
generation, review, and account closure can take approximately 60 days.

We do not concur with the final section, “Two of the six accounts had charges…”
Due to the nature of charge card business, purchases may be made during the
time that a purchase cardholder is a GSA employee; however, the merchant may
process those transactions and the issuing bank post those transactions after a
cardholder leaves the agency. The OIG found all of the post-separation charges
to be of this nature. Therefore, the OIG finding section beginning with “Two of
the six accounts …” to the end should be deleted as it is not a finding. It is also
not reflected in the recommendation.

Audit Finding 2: Reasonableness of Cardholder to Approving Official
Ratios

OIG Finding: The Agency does not have a policy to ensure that the span of
control (i.e., review responsibilities and ratio of cardholders to AOs) is
reasonable.
While the Agency reported to OMB a cardholder to AO ratio of 2.9:1
for the program (in FY 2007), our review found several instances where that ratio
was exceeded, noting an inequitable delegation of review responsibilities for AOs
across the Agency.

OIG Recommendation: Revise the CFO Order 4200.1 to include guidance on
the span of control and oversight responsibilities delegated to AOs; specifically,
as it pertains to the ratio of cardholders to AOs, as required by OMB Circular
A-123, Appendix B.

Management Response: The OCFO concurs with the recommendation to
provide additional policy guidance on the span of control to include a reasonable
ratio of cardholders to an AO. In addition, reports will be periodically generated
to monitor this span of control. As required by OMB, GSA reported an actual
cardholder to AO ratio of 2.9:1 during FY 2007. This number was an average of
all cardholders to AOs and does not reflect a ratio established by GSA or OMB.

Audit Finding 3: Unallowable Use of the GSA Purchase Card for Fleet
Related Transactions

OIG Finding: We noted four instances where cardholders used their purchase
card to make fleet related purchases. Specifically, supporting documentation
provided for the purchases showed that approximately $3,000 was charged for
oil and/or maintenance related services for fleet purposes. Furthermore, two of
the four transactions in question did not have evidence of any written supervisory
approval of the purchase.

OIG Recommendation: Ensure that all guidelines are followed when using
government funds to purchase goods and services, avoiding contradiction with
the Agency’s guidance and other regulations.
We further recommend that
management ensure that, in cases of exceptions to the policy, the
necessary approvals needed to authorize the purchase are documented and
maintained in the cardholder account file (i.e., in an audit trail).

Management Response: The OCFO sends a monthly Questionable Charges
Report to HSSOs and RAs. One of the items captured on this report is
fleet-related purchases. According to OCFO policy, the AO is responsible for
investigating and resolving these purchases to determine whether appropriate
action was taken, i.e., investigating the circumstances of the purchases and
taking appropriate disciplinary action as necessary. Some cardholders have
purchase, fleet and/or travel cards and have mistakenly used the wrong card on
occasion. We recommend that the OIG follow up with the appropriate purchase
card coordinator to verify that these transactions were reflected on the monthly
Questionable Charges report and whether officials took the appropriate action to
resolve the matter. In addition, the OCFO regularly tests samples of
questionable charges during A-123 reviews to determine whether management is
following up and resolving these charges as appropriate.

Audit Finding 4: Notification of Fraudulent Charges to the Office of
Inspector General

OIG Finding: Our sample for testing included three transactions, totaling
approximately $8,790, which were identified by the cardholders and reported to
Citibank and the Agency as fraudulent in nature. Specifically, the three
transactions were coded in the Citibank Reporting System with an account status
code of “stolen / unauthorized”. Upon further investigation, we learned that the
charges were reported by the cardholders to Citibank as a result of their card(s)
being stolen, lost, and/or misused.
The transactions varied in disposition, from
casino hotel charges, to airplane tickets, and food. We determined that these
fraudulent transactions were resolved, and related expenditures were recouped
by the Agency. However, we found no evidence that these three transactions
were properly communicated to the OIG, as required per CFO Order 4200.1.

OIG Recommendation: Ensure guidance pertaining to the proper notification of
all parties, in accordance with CFO Order 4200.1, of any unauthorized
purchases, negligence, or misuse of the purchase card is followed.

Management Response: The OCFO concurs with this finding. Although the
intent of the OCFO policy requires notification to the OIG upon cardholder
misuse, it is not explicitly stated. The OCFO will modify its policy to provide
clarification on when matters should be reported to the OIG.

The audit report states that cardholders reported transactions to Citibank and the
Agency that were fraudulent in nature. Those charges were reported to Citibank
as a result of their card(s) being stolen, lost, and/or misused. The report stated
that there was no evidence that those transactions were properly communicated
to the OIG. However, the intent of the policy is to notify the OIG upon fraud or
misuse of the card by an authorized cardholder, not for each incidence of lost or
stolen cards, or disputed transactions. It is the cardholder’s responsibility to
immediately report lost or stolen cards directly to the bank in accordance with the
cardholder agreement. In addition, non-recognized charges are reported to the
bank through the dispute process.
It is the bank’s responsibility to initiate an
investigation of those charges.

In addition, the OCFO sends OIG monthly reports of detailed transaction data for
each cardholder, monthly Questionable Charges reports, and provides them
access to Citibank’s electronic reporting system for review purposes.

APPENDIX B

Report Distribution                                                    Copies

Office of the Chief Financial Officer (B)                                3
Internal Control and Audit Division (BEI)                                1
Audit Planning, Policy and Operations Staff (JAO)                        1
Assistant Inspector General for Auditing (JA)                            1
Assistant Inspector General for Investigations (JI)                      1
Inspector General (J)                                                    1*
Deputy Inspector General (JD)                                            1*
Special Assistant for Communications and Congressional Affairs (JD)      1*
Executive Assistant for Management (JD)                                  1*

* Audit report distributed electronically.